>> No, but I had thought they [CERT] had advertised themselves as a
>> worthwhile place to report them [bugs], and my perception, and
>> apparently that of many other people here, is that this is not the
>> case.

> It depends on your definition of "useful." If it is defined as "gets
> the bug reports to all the vendors without also disclosing it to any
> real or potential bad guys in the process; follows up the report to
> make sure that the vendors are maybe working on it; and then provides
> a wide-ranging, trusted announcement method to alert people when the
> fixes are available" then it *is* worthwhile.

True. However, it's what you _haven't_ said that I consider important.

In particular, "without also disclosing it to any [...] bad guys": they also don't alert the other white hats that there is any danger, something that I consider must be done even if it means also telling the black hats there's a vulnerability. There are plenty of good channels of communication among the Dark Side; if you really think that confining your announcement of the hole to CERT will more than delay the crackers briefly, I think you're deluding yourself. If they really want to avoid spilling the beans entirely, CERT should at _least_ announce something like "there is a vulnerability in <foo>, we are working with vendors to develop patches" immediately, rather than delaying until patches are available - which can take months.

As for "follows up [..] maybe working on it": your very words indicate you're aware of the problem here: vendors often _aren't_ working on it, and won't until forced to by public awareness of the problem - and they know they can trust CERT to stay quiet and not kick up that awareness.

The only definitely positive portion left is the trusted channel for announcing fixes. And even that doesn't seem to be working; I still haven't seen a CERT advisory about either of the last two sendmail bugs.
Their mission - their very name - is to respond; I haven't seen any sign of response at all. Mercifully for the security of my system, I no longer depend on them.

> However, if your definition of worthwhile is "Broadcasts details of
> the bug to only those people who are on a particular network or
> subscription list, including bad guys and hacker 'wannabes,' before
> there is any fix available" then [...] are varying degrees more
> "worthwhile."

All I can ever hope to do is broadcast to people who are listening; that's all even CERT can do. And if you really think there are no black hats at CERT or the vendors CERT tells, again I think you're deluding yourself.

As for "before there is any fix available", _I_ would certainly rather know "<foo> is a security hole", even without a fix, than sit on my thumbs because I don't know any better. (Of course, I'd still rather know enough about it to tell whether my particular version of <foo> is vulnerable.) Also, history indicates that fixes won't become available from vendors, regardless of the seriousness of the problem, until enough white hats find out to start kicking up a fuss. But if full details are released, fixes start appearing magically from all over the place, as different people independently secure their systems. The quickest way for _me_ to get a fix for _my_ system is, experience teaches, full disclosure.

That's why I don't feel CERT is worthwhile - they don't disclose until forced to - and are even an active problem: in the meantime they soak up valuable bug reports that could well have provoked real fixes fast if sent somewhere public instead.

					der Mouse

			    mouse@collatz.mcrcim.mcgill.edu